Securing Windows NT/2000 Servers for the Internet p age 2 9 Part II: User Safety This part of the book discusses some of the threats to people who use web browsers to access information on the Internet. It draws its examples primarily from Netscape Navigator 3.0 and Microsoft Internet Explorer 4.0, although the material covered is applicable to later versions of those products as well. Securing Windows NT/2000 Servers for the Internet p age 3 0 Chapter 2. The Buggy Browser: Evolution of Risk Web browsers are extremely complex pieces of software that seem to be getting more complex all the time. Every time new features are added, there are more chances for something to go wrong. That's good news for crooks and attackers and bad news for people interested in web security. Most security bugs are fundamentally programming bugs. Fortunately, by understanding the real risks of browsers, it is possible to manage many of their associated risks. 2.1 Browser History The first web browsers were developed by scientists at CERN for publishing papers about high-energy particle physics. These early browsers could display web pages containing text and links to other pages of text. The pages were created with a WYSIWYG (What-You-See-Is-What-You-Get) editor written for NeXT computers and stored in HTML files. Mosaic 2.0, the browser created at the National Center for Supercomputing Applications, introduced the ability to display forms and simple widgets, with text fields, push buttons, radio buttons, and pull-down menus. Combined with CGI (Common Gateway Interface), forms and widgets gave web programmers a kind of generic user interface. It was simple: Display a form, have the user fill in some fields, press a button, and display a new form with new fields to be filled in. 2.1.1 The Return of Block Mode There was nothing fundamentally new about the web's style of computing: IBM computers were doing it in the 1970s on 3270 terminals. Called " block mode," this style of computing involved a simple three-step process: 1. The host computer displayed a form on the user's terminal. 2. The user filled in the fields. Editing was done locally so that it didn't consume expensive communication and centralized CPU resources. 3. Finally, the user clicked the SEND button and the contents of the form were sent back to the central computer. The terminal then waited until the computer sent a new form to display, which started the process all over again. Block mode was as familiar a concept to the users of IBM's OS/360 mainframes in 1976 as it is to people surfing the Internet with Netscape Navigator today. Block mode systems are well-suited to libraries, reference systems, and scholarly journals. Sending commands and waiting for the result emulates other kinds of academic operations, such as turning the pages of a magazine, checking a book out of a library, or doing a long Monte Carlo simulation run on a mainframe computer. Thus, it's not surprising that this was the style developed by a bunch of physicists working in Europe. The mapping was natural. People didn't like block mode much in the 1970s, which is one of the reasons that minicomputers running UNIX and PCs running DOS became so much more popular than IBM's mainframes. People still dislike it today, which is why web developers have been trying to invent ways of breaking the block mode cycle and bringing new kinds of content and new interaction paradigms to the World Wide Web. Since its launch, Netscape has been one of the industry's leaders in breaking the block mode paradigm. Netscape first grabbed attention because its browser displayed GIF and JPEG images as they were downloaded, rather than waiting for the entire image to be downloaded before it could be displayed. Its browser was also substantially faster than Mosaic. The reason is simple: Netscape's creators realized that if they wanted to make the Web commercializable, they would have to add movement, action, and customizability. 9 Ever since then, an increasing number of techniques have been developed both inside and outside the company to fill this need. 9 Mark Stahlman, founder of New York's New Media Association, believes that the reason motion is required for commercialization of the Web is that moving advertisements, such as those on television, are far more effective at selling things to an unsuspecting public than stagnant images and text. Thus, to give Internet-based publishers ways of generating large, television-like advertising revenues, companies such as Netscape had to develop a way to create powerful, television-like advertisements. Securing Windows NT/2000 Servers for the Internet p age 31 2.1.2 <blink> One of Netscape's first attempts at interactivity was the dreaded <blink> HTML tag. Text surrounded by a pair of <blink> and </blink> tags would blink at approximately three times a second. Many people considered the <blink> tag to be an annoyance. 2.1.3 Animation Netscape's next proposal for bringing live action to the Web was to use a sequence of images to create an animated sequence, much in the way that cartoons are animated. Two early approaches for performing animation were server push and client pull, in which either the web server sent or the web browser requested a stream of images, each of which was displayed on top of one another on the same piece of screen real estate. Server push and client pull are not the friendliest way to perform an animation on the Web. That's because each picture that has to be downloaded can consume a hefty chunk of the client's available bandwidth. Some people expressed fears that these techniques would hasten the overloading and eventual collapse of the Internet. A more sophisticated animation technique is the animated GIF, an extension to the GIF file format that allows multiple images to be packed into a single file. Because of the compression technique used, multiframe files that do not have a significant amount of motion are not much larger than the image for a single frame. The animated GIF standard further allows developers to specify how fast the animation should be played and whether or not it should be repeated. Other forms of animation, including the MPEG and MOV formats, offer similar benefits, but with much higher compression. What Do Attackers Want? Nearly all attackers on the World Wide Web have the same goal: they want to be able to run programs of their choosing on your computer without your permission. In particular: • They want to scan your system for confidential documents and transmit them to other systems. • They want to corrupt the information on your computer, or even reformat your computer's hard disk drive. • They want to modify your computer's operating system, leaving traps, creating new security holes, or simply causing your system to crash. • They want to use home-banking applications residing on your computer to transfer money from your bank account to theirs. 2.1.4 Helper Applications Most web browsers can only understand a small, predefined set of data types. For many years, most web browsers could display only ASCII text, HTML text, and images in either GIF or JPEG format. While these four data types provided a good lingua franca for the Web, there are many kinds of data types that can't be readily translated to HTML and images. One way to extend the browser is through the use of helper applications. These are special programs that are run automatically by a web browser when a data type other than ASCII text, HTML, GIF, or JPEG is downloaded. Using helper applications is a flexible, extensible way through which practically any kind of information can be downloaded and displayed. For example, the Progressive Networks RealAudio system works by designating the RealAudio player as a helper application for popular web browsers. When the user clicks on a "real audio" link, a small file is downloaded to the user's computer. The RealAudio player then reads this file and determines where on the Internet it should go to download the actual audio program. This program is then fetched, and the sound is "displayed." Securing Windows NT/2000 Servers for the Internet p age 3 2 Helper applications can also create security problems. That's because the helper applications run on the web user's own computer, but take their input from information provided from the web server. If the helper application has sufficiently powerful features, a malicious web site can use a helper application running on the user's computer against the user's own interests. Many helper applications are downloaded from links that appear on web sites that have data requiring the helper application. A danger here is that there is no way for a person downloading the helper application to be sure that he is downloading an authentic copy of the helper application, and not a version that has been modified to incorporate some nefarious new feature. One of the most powerful application programs is an interpreter for a general-purpose programming language: given the correct input, an interpreter can open, read, modify, or erase files on the computer's hard disk. Many programming languages allow programs to open network connections, allowing them to scan for security problems on other computers. Because they are so powerful, interpreters for general-purpose programming languages should never be made helper applications. Many application programs that do not appear to be general-purpose programming languages nevertheless contain such languages. These applications also should never be used as helper applications. Here are some specific programs that you should never use as helper applications: • Microsoft Word (The Visual Basic extension language that's built into Word can be used to execute many commands on your system. This is the same feature that has enabled macro viruses to spread so widely. Microsoft's Word for Office 97 contains some features that make it harder for macro- based viruses to spread, but it is still far from safe in this context.) • Microsoft Excel (Excel also comes equipped with a Visual Basic programming language, although the Office 97 version does solve some of the problems.) • Any program that includes Microsoft's Visual Basic scripting language • Perl (Perl programs can execute any command.) • Python (Python is another popular scripting language.) • Tcl/Tk (Yet another popular scripting language.) 10 • UNIX shells such as sh, csh, tcsh, or any other UNIX shell • COMMAND.COM, the DOS shell • PostScript interpreters other than GhostView (There are PostScript commands to open, read, and delete files, as well as to execute arbitrary commands. These commands are disabled by default when GhostView is run in its "safe" mode.) If you configure a browser to automatically run one of these programs as a helper application when a document of a certain MIME type is downloaded, then you are trusting the authors of the HTML documents that you are browsing to be gentle with your computer. You are trusting them as surely as if you invited them into your office and proceeded to let them type on your keyboard while you left the room and grabbed some lunch. 11 10 Safe Tcl provides many of the advantages of Java. See http://sunscript.sun.com/ for further information. 11 Note that these programs should also not be enabled for automatic execution upon receipt of MIME encoded mail! Securing Windows NT/2000 Servers for the Internet p age 33 Plug-Ins: Helper Apps Without the Files Despite the security caveat, helper applications are quite useful. They are so useful, in fact, that Netscape developed a system called "plug-ins." A plug-in is a module that is loaded directly into the address space of the web browser program and is automatically run when documents of a particular type are downloaded. By 1997, most popular helper applications, such as the Adobe Acrobat reader, Progressive Networks' RealAudio player, and Macromedia's Shockwave player, had been rewritten as Netscape plug-ins. Plug-ins are fundamentally as risky as any other kind of downloaded machine code. These risks are described in greater detail in Chapter 4. 2.1.5 Programmability The previous section contained an important warning against allowing general-purpose programming languages to be configured as helper applications: the danger is that an attacker could download a program of his or her choosing to your web browser and run it on your computer. Unfortunately, sometimes this sort of flexibility is precisely what is needed by web developers. There are now a variety of programming languages that are being used to write programs that are embedded on web pages and then downloaded to web browsers and run on the user's machine. The run-time environments for these languages are all specially constructed so that programs are not supposed to harm the user (assuming that the designer's definition of "harm" is the same as that of the user, and assuming that there are no errors in the code in the browser to interpret these languages). Some of these languages are: • Java • JavaScript • Visual Basic Script • Macromedia's Shockwave For further information, see Chapter 3. In addition to these languages, Microsoft has proposed a standard for downloaded applications that run directly on the user's machine. This standard is called ActiveX and is described in Chapter 4. The Common Client Interface (CCI ) An early attempt at extending browsers was NCSA's Common Client Interface ( CCI). Now largely abandoned, CCI allowed some versions of the NCSA's Mosaic web browser to be controlled from an HTTP server. Using CCI, Mosaic could be commanded to: • Fetch and display a specific URL. (Useful for slide shows.) • Report the URLs selected and documents viewed by the user. (Useful for monitoring a user's actions.) • Download arbitrary documents to the user's computer. (Useful for downloading lots of individual files.) • Send information about the user back to the HTTP server. Securing Windows NT/2000 Servers for the Internet p age 34 2.2 Data-Driven Attacks It is possible for an attacker to give malicious data to a normally well-behaved application to produce undesirable results. Consider the case of a user who has not followed our advice in the previous section and has set up Microsoft Word as a helper application for files ending in the letters ".doc". Normally there will be no problem at all. But if the unsuspecting user tries to download a particular Microsoft Word file, his computer might become infected with a virus. Or consider a user who is still using Version 3.0 of Microsoft's Internet Explorer - the one with the big security hole. Normally this user will have no problems. But one day, he may chance upon a web page that exploits the bug and erases all of his files. These sorts of attacks are called data-driven attacks, because the type and nature of the attack is determined by data that is downloaded to the user's computer. Most Internet-based attacks are in fact data-driven attacks because they rely on downloading malicious data, rather than programs, to the victim's computer. 12 The remainder of this section looks at a variety of data-driven attacks. 2.2.1 Social Engineering One of the simplest and most effective data-driven attacks is to give the user a message asking him to do something that is unsafe. These attacks are effective because most users are conditioned to follow whatever instructions appear on the computer screen. One unfortunate result of the web's ease of publishing is that attackers can publish information as easily as legitimate data providers can. Here are some types of messages that an attacker might wish to display on a user's screen: • "There is a problem with your account. Please change your password to NowSafe and await further instructions." • "There is a problem with your account and we are unable to bill your credit card. Please enter your credit card number and expiration date in the spaces below and click the SUBMIT button." • "We have detected that you are running an out-of-date version of this web browser software. Please click on this URL to download a new version of the software, then run the program called SETUP.EXE to install it." Recent trends in web extensibility - languages like JavaScript - make it even easier for an attacker to display messages on the computer's screen and make the messages appear to come from legitimate sources. Consider the pop-up window shown in Figure 2.1. This window can ask the user for his or her dial-up password, then send that password to somebody else on the Internet. Although this window looks quite official, it was actually produced by this piece of JavaScript: <script> password = prompt("Please enter your dial-up password",""); </script> Figure 2.1. An official-looking window produced by JavaScript 12 This same problem happens if a webmaster places a copy of the Perl executable in the server's cgi-bin directory. Securing Windows NT/2000 Servers for the Internet p age 3 5 There is no good solution for social engineering attacks other than education. For example, in 1995 America Online modified the interface of its email system software so that the message "Reminder: AOL staff will never ask you for your password or billing information" would constantly be displayed (see Figure 2.2). AOL added this message after a number of social engineering attacks in which attackers asked AOL members for their passwords and credit card numbers, and frequently were rewarded by users who were all too trusting. Figure 2.2. America Online's email client warns users not to provide their passwords Education can be extremely expensive. While AOL's solution is interesting, the general applicability of this technique remains to be seen. 2.2.2 Bug Exploitations Browsers have bugs. Many browser bugs are data-dependent. An attacker with knowledge of these bugs can force a browser to misbehave in a specific manner. The most common way for a browser to fail is for it to crash. On a computer without memory protection, a browser crash can take down the entire computer, creating an effective denial-of-service attack. For example, one bug we know about in the Netscape Navigator HTML layout engine could be exploited in Navigator Versions 1, 2, and 3. The bug causes Navigator to allocate gigabytes of memory, causing Navigator to crash on every platform. On some platforms, the attempt by Navigator to allocate large amounts of memory caused the entire computer to crash. Crashes are not the only way that a browser can fail. If you are really good, you might be able to make a browser fail in such a way that a buffer variable overwrites the program's stack. When the program returns from a function, the contents of the buffer might be executed as program code. This is the sort of technique that was used in 1988 by the Internet Worm. Other attacks have also used this technique as well. 2.2.3 Web-Based Programming Languages Web-based programming languages such as Java and JavaScript can also be used to attack users. Sometimes these attacks are the result of fundamental flaws in the language design. Other times the attacks are made possible by flaws in a particular implementation. These dangers are discussed in detail in the following chapters. Securing Windows NT/2000 Servers for the Internet p age 3 6 2.3 Implementation Flaws: A Litany of Bugs Most web browsers implement a security policy that is designed to protect the user from both malicious eavesdropping and hostile web pages. Unfortunately, bugs in the browser can effectively subvert such a policy, leaving the user open to those attacks. Throughout 1995, Netscape's early browsers were subject to a high degree of scrutiny. Often, reports of these bugs appeared on the front pages of major daily newspapers, rather than the academic press. The public's confidence in Netscape Navigator's security was so shaken, in fact, that Netscape announced that it would pay users up to $1000 for each bug that was discovered. Netscape's theory was that the increased scrutiny that its product received as a result of the bounty program would make the product more secure. Netscape has also made its source code available on some occasions to academics involved in security-related research. Here are some of the more important bugs that were discovered in Netscape Navigator: • In September 1995, Ian Goldberg and David Wagner, two graduate students at the University of California at Berkeley working with professor Eric Brewer, discovered a flaw in the way that the UNIX version of the Netscape Navigator generated random numbers. Instead of seeding the random number generator with a number that was unpredictable, such as the user's mouse motions, programmers at Netscape had decided to use the computer's time-of-day clock, the Navigator's process number, and other information that was trivial to determine. The students discovered that they could determine this information and predict the results of the random number generator. Some articles describing this attack can be found at http://www.cs.berkeley.edu/~iang/press/. • In October 1995, the same group of students discovered an even more impressive attack against Navigator: they could simply patch out the random number generator, so that it always used the same key. • During the first half of 1996, three researchers at Princeton University, Drew Dean, Ed Felten, and Dan Wallach, discovered a number of flaws in the Netscape Navigator 2.0 Java run-time environment. One flaw allowed a malicious applet to open connections to any Internet host, potentially allowing applets running behind firewalls to attack other computers behind a firewall. The Princeton team also discovered numerous flaws that allowed Java applets to execute arbitrary machine code. The Princeton group's findings are summarized at http://www.cs.princeton.edu/sip/. • Early versions of the JavaScript implementation in Netscape Navigator Version 2.0 allowed information from the user's environment to be automatically filled into HTML forms and to then have those forms automatically posted or sent by email to other sites on the Internet. These bugs allowed the creation of web pages that caused the user to reveal his or her email address and browser "history" (the list of URLs previously visited by the browser). • Also under Netscape Navigator Version 2.0, a vandal could create a link on a WWW page that, when clicked, would cause the user to send email with contents and destination of the vandal's choice. This was frequently directed against high-profile targets, such as whitehouse.gov. Users were sending harassing or threatening email without even realizing it! In response to these problems, the U.S. Government's Naval Research Lab, which sets the Navy's computer security policy, finally turned its thumbs down to Netscape Navigator in the fall of 1996. "The NRL Information Systems Security Office recommends that use of all Netscape products be disallowed on computers NRL- wide," wrote Rick Perry, NRL's IS Security Officer, in an internal memorandum. "It should also be noted that Netscape versions prior to Version 2.0 have reported security problems. Even though Netscape claimed to have fixed those earlier problems, the fact that new security vulnerabilities continue to be reported in subsequent releases leads us to conclude that all versions of Netscape are suspect from a security standpoint and should not be used on NRL computers." On October 2, 1996, the U.S. Navy and Microsoft issued a joint press release saying that the Navy had chosen Microsoft's Internet Explorer as its official web browser. But Netscape's bugs weren't necessarily the result of defective programming practices. Security-relevant bugs can be in any program. The bugs might simply have been discovered in Netscape's Navigator because that was where the attention of the security community was focused. Securing Windows NT/2000 Servers for the Internet p age 3 7 As we mentioned in the Preface, on March 3, 1997, Paul Greene, a student at Worcester Polytechnic Institute in Massachusetts, discovered a security-relevant flaw in Microsoft's Internet Explorer Versions 3.0 and 3.0.1. The bug made it possible to create a web page that, when viewed by Internet Explorer, ran any program at all. Greene created a web page (http://www.cybersnot.com/ ) with links that, when clicked, would create directories, delete directories, and run other programs on the user's machine - all in violation of Internet Explorer's security model. Greene's bug had nothing to do with ActiveX or any other Microsoft proprietary technology. The bug was merely the result of an error in Internet Explorer's registry entries, which told Internet Explorer that it was "safe" to open files of type .URL and .LNK without first asking the user. Microsoft's developers swung into action and had a fix for the bug on its web site within 48 hours. But within three days, a bug was found in Internet Explorer 3.0.1 that had the similar consequences. Another bug fix was quickly prepared and released. Securing Windows NT/2000 Servers for the Internet p age 3 8 Chapter 3. Java and JavaScript Java and JavaScript are both languages for adding interactivity to web pages. Both languages can be run on either a web browser or a web server (or even stand-alone). Both languages have a syntax that resembles the C++ language. Despite these apparent similarities, Java and JavaScript are actually two completely different languages with different semantics, different user communities, and different security implications. This chapter explores the security issues in each language. 3.1 Java Although today Java is widely thought of as a language for writing programs that are downloaded over the Internet to web browsers, it wasn't designed for that purpose. Indeed, Java's security model was largely added as an afterthought. To understand the security issues with Java today, it's important to understand the history of the language. Java's history started in 1991 when a group of engineers at Sun Microsystems were hard at work on a stealth project designed to catapult Sun into the world of consumer electronics. Sun envisioned a future in which toasters, remote control systems, stereos, and cable decoder boxes were all programmed using a common computer language with programs that could be easily downloaded over a network. The stealth project was designed to leverage Sun's experience with computer languages, system design, and silicon manufacturing to turn the company into a major supplier for this new world order. The key to dominating this new world was a new computer language developed by James Gosling. Called Oak, the language was designed to produce programs that would be compact and highly reliable. Compactness was necessary because Oak programs were going to be downloaded over networks whenever it was necessary to change them. And reliability was necessary too, because programs in this language had to be able to run for weeks or months at a time without outside intervention: you can't expect to dominate the market if you sometimes need to tell the average American that his toaster oven has to be rebooted to continue operation. Instead of being compiled for a specific microprocessor, Oak was designed to be compiled into an interpreted bytecode that would run on a virtual machine. Simple economics drove the decision to use a virtual machine: a portable bytecode would allow a consumer electronics manufacturer to change its microprocessor without losing compatibility with existing programs. Unlike today's desktop computers, the microprocessor would truly become a commodity. The first test for Oak was an interactive cable TV decoder box that Sun was designing for Time Warner. In April 1993, Time Warner assured Sun that it would be awarded the contract for the interactive cable TV trial because it had superior technology. But on June 14, 1993, Time Warner awarded the set-top box contract to Silicon Graphics, Inc. It was perhaps just as well: interactive cable TV was a failure. 13 In the months that followed, the Oak team repositioned their language for the world of CD-ROMs and multimedia publishing. Oak was designed to create compelling, multiplatform programs. Why not have those programs run on traditional PCs, Macs, and UNIX workstations? Right around that time, another multiplatform phenomenon was sweeping the computer industry: the World Wide Web. That was great for the Oak team: they had a language that was designed to be small and portable. The team quickly realized they could use the Web to download programs to an end user's computer and have the programs run instantly on the user's desktop. In July 1994, Patrick Naughton, a member of the team, wrote a "throwaway" web browser to demonstrate the idea. Within a month, the browser was rewritten from scratch in Oak, and a system for running downloaded applets was designed and implemented. Eight months later, Sun formally announced Java and its HotJava web browser at the 1995 SunWorld tradeshow. That same day, Netscape announced its intention to license Java for use in the Netscape Navigator web browser. 13 Eric Greenberg of Netscape writes, "Jim Clark, Netscape's founder, initially envisioned Mosaic as a product to be used within an interactive cable TV box for programming the programs you wanted to see. This was the first business model for Mosaic. Fortunately, the Mosaic team saw past this pipe dream and quickly focused on the Internet and the enterprise." (Eric Greenberg, personal communication, March 22, 1997) [...]... was downloaded • Limited network connectivity A Java applet could only open network connections to a host whose name appears in a set of preapproved hosts • Limited network connectivity A Java applet could only open network connections on a specified port or ports • No restrictions for applets downloaded from particular machines A corporation might want to use such a policy for code that is downloaded... these policies; the choice was left to the user Most users chose policy 2 The complete list of restrictions for downloaded applets appears in Table 3.1 Table 3.1, Some of the Restrictions on Downloaded Java Applets in the HotJava Browser Restriction Reason Cannot read the contents of files or directories on the client computer Protects the confidentiality of information on the user's computer Cannot write,... of the program's author Most programs that you download will behave as expected But they don't have to Many programs have bugs in them: running them will cause your computer to crash But some programs are malicious: they might erase all of the information on your computer's disk Or the program might seek out confidential information stored on your computer and transmit it to a secret location on the... problem of downloaded programs One area where Java security can be enforced is in the run-time system, which can be used to enforce finegrained control over security policy For example, if an organization decided that Java applets shouldn't be able to send electronic mail, the code could be configured to ensure that Java applets couldn't open a TCP/IP connection to port 25 , the SMTP port.19 One of... vision, programs would only be downloaded by an equipment manufacturer or an approved content provider Java was designed for a closed programmer community and for a somewhat constrained set of target environments When Java was repositioned for the Web, security immediately became a concern By design, the World Wide Web allows any user to download any page from anyone on the Internet, whether it is from... to give or download a program to you for your computer to run One would think that an easy way to defend against this attack would be to inspect all downloaded programs to see if they contain malicious code Unfortunately, it's theoretically impossible to determine what a computer program will do without running it What's possibly even more frightening is the fact that it's frequently impossible to... distributed by downloads as well Already, users have lost thousands of dollars by the actions of hostile programs that they have downloaded and run on their computers These losses are likely to mount as technologies for downloading executable code become more widespread 4.1.1 Card Shark In January 1996, First Virtual Holdings demonstrated a program designed to show how easy it is to compromise a computer system... possible policies that could have been implemented Java, after all, is a flexible language with fine-grained control over the actions of programs Here, for example, are some policies that could have been set for network connectivity: • No network connectivity A Java program could not access the network • Limited network connectivity A Java applet could only open network connections to the host from... write, rename, or delete files on the client computer Protects the user's data from unauthorized modification Cannot initiate a network connection to a computer other than the computer from which the Java applet was downloaded Prevents a downloaded applet from probing for security problems behind an organization's firewall Cannot receive network connections Prevents an applet from appearing to be a legitimate... the security implications of actions you request the application to perform If you choose to download a plug-in, you should know that: * Plug-ins have full access to all the data on your machine * Plug-ins are written and supplied by third parties To protect your machine and its documents, you should make certain you trust both the third party and the site providing the plug-in If you download from . No restrictions for applets downloaded from particular machines. A corporation might want to use such a policy for code that is downloaded from the company's internal "intranet". on the user's machine - all in violation of Internet Explorer's security model. Greene's bug had nothing to do with ActiveX or any other Microsoft proprietary technology. The bug. Although this window looks quite official, it was actually produced by this piece of JavaScript: <script> password = prompt("Please enter your dial-up password","");